[Dovecot] Logging passwords on auth failure/dealing with botnets

dovecotmail dovecotmail at edschooler.com
Fri Aug 23 03:50:19 EEST 2013


Have you or anyone else tried fail2ban?
I haven't had any break-in attempts since going to Dovecot yet, but with 
qpopper it didn't work very well unless it hit an actual user on the server.
Then it would block the IP for a predetermined set amount of hits on 
that username, then it would block for the time I set it to.

Just curious....


On 8/22/2013 9:45 AM, /dev/rob0 wrote:
> On Thu, Aug 22, 2013 at 04:16:51PM +0000, Michael Smith (DF) wrote:
>> Or another option, is there any good DNS based RBLs for botnet IPs,
>> and is there any way to tie that in to the dovecot auth system?
>> I've been looking for botnet rbls, but what I've found so far
>> doesn't seem to work very well.  Most of the IPs that I've had to
>> firewall don't exist in them.
> I guess I would first have tried Spamhaus XBL, but I guess you
> checked that already.
>
> The problem with using XBL, anyway, is that you might have legitimate
> logins from listed hosts. Example: a traveler using hotel wifi. We
> (TINW) really would need a new DNSBL type (or a special result) for
> this sort of abuse.
>
> It's a nice idea, worth building upon, if someone can fund it (or
> find the time to develop it, which really amounts to the same thing.)
> Imagine also a Dovecot network of reporters, where brute force
> attempts worldwide are reported from Dovecots to the DNSBL, not
> merely a one-way tie in.
>
> I'd also suggest listing SSH brute force attacks in the same DNSBL,
> possibly with a different result (127.0.0.$port, so IMAP attackers
> list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to
> incorporate the third quad for ports > 255, but the general idea is
> for result codes to be both machine and human readable as much as
> possible.)



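The per-service result codes /dev/rob0 sketches above (127.0.0.$port, spilling into the third octet for ports above 255) are easy to pin down in code. The following is an added illustration, not code from the thread or from Dovecot; the zone name bl.example and the client addresses are placeholders, and no DNS query is actually sent.

```python
"""Encode/decode port-coded DNSBL results and build the query name.
Added example; bl.example is a placeholder zone, not a real list."""
import ipaddress

ZONE = "bl.example"  # assumption: placeholder DNSBL zone


def encode_result(port: int) -> str:
    """Map a service port to a 127.0.X.Y result address.
    Ports up to 255 become 127.0.0.port (IMAP -> 127.0.0.143, SSH ->
    127.0.0.22); larger ports put the high byte in the third octet."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"127.0.{port >> 8}.{port & 0xFF}"


def decode_result(addr: str) -> int:
    """Recover the service port from a result address. Anything outside
    127.0.0.0/16 is rejected so an unexpected answer is not misread."""
    o = ipaddress.IPv4Address(addr).packed
    if o[0] != 127 or o[1] != 0:
        raise ValueError(f"not a port-coded result: {addr}")
    return (o[2] << 8) | o[3]


def query_name(client_ip: str, zone: str = ZONE) -> str:
    """Reversed-octet query name, the usual DNSBL convention."""
    ip = ipaddress.IPv4Address(client_ip)
    if ip.is_loopback:  # never look up our own loopback clients
        raise ValueError(f"refusing to query loopback: {client_ip}")
    return ".".join(reversed(client_ip.split("."))) + "." + zone + "."


def listed_for_service(answers, service_port: int) -> bool:
    """Decide from the returned A records whether the client is listed
    for *this* service. A listing for another port (say SSH brute force)
    does not by itself block an IMAP login, which is the point of
    per-service results and avoids the hotel-wifi false positive."""
    ports = set()
    for a in answers:
        try:
            ports.add(decode_result(a))
        except ValueError:
            continue  # ignore answers that are not port-coded
    return service_port in ports
```
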